Minnesota Sheriff Must Release Emails on Use of Biometric Technology

When EFF launched a campaign last year to encourage the public to help us uncover police use of biometric technology, we weren’t sure what to expect. Within a few weeks, however, hundreds of people joined us in filing public records requests around the country.

Ultimately, dozens of local government agencies responded with documents revealing devices capable of digital fingerprinting and facial recognition, while many more reported back—sometimes erroneously—that they hadn’t used this technology at all. Several, however, either didn’t respond, demanded exorbitant fees, or outright rejected the requests.

EFF has now joined the ACLU of Minnesota in filing an amicus brief [.pdf] in a particularly egregious case now before the Minnesota Court of Appeals, demanding the release of emails regarding the Hennepin County Sheriff Office’s facial recognition program.

In August 2015, web engineer and public records researcher Tony Webster filed a request based on EFF’s letter template with Hennepin County, a jurisdiction that includes Minneapolis, host city of the 2018 Super Bowl. He sought emails, contracts, and other records related to the use of technology that can scan and recognize fingerprints, faces, irises, and other forms of biometrics.

In an April 22 order, Administrative Law Judge Jim Mortenson described four months of unexplained delays, improperly redacted records, inadequate answers and other behavior by county officials in response to Webster’s request.

The county’s actions violated the Minnesota Government Data Practices Act (MGDPA), Mortenson found. He fined the county $300, the maximum allowed by law; ordered it to pay up to $5,000 in Webster’s attorney’s fees; refund $950 of the filing fee, and pay $1,000 in court costs.

Perhaps most significant, he ordered the county to figure out a way to make its millions of e-mail messages publicly accessible by June 1.

It was a huge victory for Webster. But Hennepin County appealed, and thus a skirmish over biometric records has become a crucial battleground over the public’s right to access the emails of government officials across the state of Minnesota.

Biometric technology is an emerging threat to privacy. By biometrics, we mean the physical and behavioral characteristics that make us unique, such as our fingerprints, faces, irises and retinas, tattoos, gaits, and more. Police around the country have begun adopting and testing these systems. The devices are often mobile, such as handheld devices or smart phone apps.

Some emails that Webster already received show that the Hennepin County Sheriff’s office is contemplating using facial recognition technology on still images in investigations. Even more concerning, there’s evidence that in the next two years the sheriff intends to use real-time facial recognition to identify people in surveillance cameras streams, including those owned by private entities.

The records obtained show that jail inmates had their mugshots enrolled in a system designed by the German firm Cognitec. One particular email showed how the $200,000 system poses a threat to the privacy of individuals not involved in crimes and presents a significant financial burden on taxpayers. As a criminal informational analyst with the Hennepin County Sheriff’s Office wrote:

"[The] system is so good I’ve found possible matches that turned out to be close relatives…It costs a shit-ton … but I love it.”

In our brief, we draw from the wealth of records EFF, and our partners at MuckRock News, received through the crowdsourcing campaign to explain why these emails are key to informing the public debate over mobile biometrics.

Using the documents released in response to these requests, EFF has been able to report on nine agencies using biometric technology in California. The documents revealed that most of the agencies are using digital fingerprinting devices, and many are also using iris, palm, and facial recognition technology, or plan to use them in the future. One of EFF's partner organizations used these same records to map the ties between the biometric contractors mentioned in the documents and firms in the defense and security industries that are deeply embedded in the national security apparatus. EFF is continuing to review records released by other agencies.

The brief also explains how emails often contain some of the most important information:

Emails released to other requesters have been equally revealing. For example, emails released by Miami-Dade County, Florida showed how MorphoTrak, a large biometrics vendor serving forty-two states' DMVs and many federal agencies, underpriced the devices in its invoices but increased the price later. Emails between the Phoenix, Arizona Police Department and its vendor revealed information about the sole-source procurement process. And emails released by the Polk County, Florida Sheriff's Office describe the timeline for installing biometrics devices in squad cars and outline the training process for using the devices.

EFF hopes the appellate judges recognize that democracy functions best when the public debate is informed by government records and deny Hennepin County’s attempts to shield its emails from scrutiny.

Related Updates

Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quien Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day. This year's...

The California Consumer Privacy Act (CCPA) requires the California Attorney General to take input from the public on regulations to implement the law, which does not go into effect until 2020. The Electronic Frontier Foundation has filed comments on two issues: first, how to verify consumer requests to companies for...

Ever since the Cambridge Analytica scandal last summer, consumer data privacy has been a hot topic in Congress. The witness table has been dominated by the biggest platforms, with those in lockstep with the tech giants earning the vast majority of attention. However, this week marked the first time that...

We urged the Florida Supreme Court yesterday to review a closely-watched lawsuit to clarify the due process rights of defendants identified by facial recognition algorithms used by law enforcement. Specifically, we told the court that when facial recognition is secretly used on people later charged with a crime, those...

In his latest announcement, Facebook CEO Mark Zuckerberg embraces privacy and security fundamentals like end-to-end encrypted messaging. But announcing a plan is one thing. Implementing it is entirely another. And for those reading between the lines of Zuckerberg’s pivot-to-privacy manifesto, it’s clear that this isn’t just about privacy. It’s...

In back-to-back hearings last week, the House and the Senate discussed what, if anything, Congress should do about online privacy. Sounds fine—until you see who they invited. Congress should be seeking out multiple, diverse perspectives. But last week, both chambers largely invited industry advocates, eager to...

San Francisco - Technology is supposed to make our lives better, yet many big companies have products with big security and privacy holes that disrespect user control and put us all at risk. The Electronic Frontier Foundation (EFF) is launching a new project called “Fix It Already!” demanding repair...

Today we are announcing Fix It Already, a new way to show companies we're serious about the big security and privacy issues they need to fix. We are demanding fixes for different issues from nine tech companies and platforms, targeting social media companies, operating systems, and enterprise platforms on...

Update, 2:35 p.m.: The coalition of groups behind Privacy for All has grown since time of publishing. This update reflects the latest count. Privacy is a right. It is past time for California to ensure that the companies using secretive practices to make money off of our personal information treat...